While cloud computing may reduce costs, it introduces new layers of complexity that must be managed by your company’s IT, legal and executive personnel.

When it
comes to data security and cloud computing, many companies indulge in magical
thinking: They envision the cloud as a single type of computing platform guarded
by service providers that secure the data and think through the tough issues. In
fact, while cloud computing may reduce costs, it introduces new layers of
complexity that must be managed by your company’s IT, legal and executive
personnel.

The reality
is that cloud computing presents a spectrum of choices. At one extreme is
limited outsourcing, in which the company retains responsibility for most computer
security, including configuring server operating systems and the data center
firewall—but not the physical security of the cloud data center itself. In this scenario, your IT
department must secure all applications and databases, oversee security patch
management, and be prepared for all forms of cyberattack and incident responses.

At the other
extreme, the cloud provider supplies virtually all of the servers, applications
and security.

In any
corporate network, IT will likely be working with a mix of environments, some
behind the firewall and not in the cloud at all, and others at various points
along the spectrum. Since rules for managing computer security risks vary for each
situation, it’s critical for managers to have an up-to-date matrix showing
which environments are in the cloud and which are not—and, for the latter, to
delineate which security functions must be handled by the provider, and which
by the company.

Provider
contracts must clearly state provider security obligations and responsibilities.
That said, be forewarned that many recent hacking exploits relate to systems
and processes normally retained by the company. See the following examples:

· Phishing attacks—whereby an attacker sends an infected
email
to employees—bypass most forms of perimeter security. The best way to thwart
such attacks is via user education and good incident-response
escalation policies.

· SQL injection attacks—whereby an attacker attempts to gain
rights to a server by injecting code into an application running on that server—can
be prevented by writing good application code and testing
its security, which is not normally part of a cloud provider contract.

As a result,
granularly defining responsibility for each risk, environment by environment, is
the cornerstone for safeguarding the whole, as is defining the security
measures that need to be taken for each risk.

Here’s a
further complication: Cloud providers often can reduce cost in part by
transferring data to the most efficient location in the stack: an array of their
own and subcontractors’ global data centers. Therefore, pay close attention to
contract clauses that allow the use of subcontractors and far-flung locations.

Unless your company
knows which specific entities will be storing your data and where it will be
stored, it will be difficult to understand and assess provider security staff,
skills and functions. Giving providers free rein to transfer data can also lead
to violations of European Union guidelines and other data privacy issues.

Technically,
cloud providers may slice and dice a company’s data pertaining to a single
application, sending different data to different locations. Clearly, such
practices can greatly complicate business-continuity measures. Closely
scrutinize cloud provider service-level agreements to understand how the
provider intends to ensure computing and data availability if data are
distributed across the stack.

Quality and Response

Quality and
speed of response are key components of any security system. Incident response components
include the ability to:

· image
affected servers;

· interview
IT staff ;

· dump
server memory;

· copy
off and analyze security logs;

· increase
the robustness of logging during an attack;

· restore
backup tapes;

· monitor
traffic during an attack through placement of sniffers; and

· insert
“honey pot” servers into the network to ensnare the attacker, as well as other
intrusive techniques.

During a denial of service attack—in
which attackers flood the network with irrelevant data or requests—great
coordination is needed among the cloud provider, upstream Internet service
provider and the affected company to try to divert or filter out irrelevant
traffic. Whether the cloud provider will or can do some or all of these things quickly—and
even whether its staff is qualified to assist—must be explored in advance.

Data
distribution across the global stack can complicate incident response,
especially if the provider has contractual rights to change the locations of
data storage based purely on its own efficiency.

In summary,
cloud computing is not a security silver bullet. Instead, it introduces many
complexities and fluidity into the mix. Managing the risks demands careful
thought, clearly defined lines of responsibility and much parsing of legal fine
print.

Eric Friedberg is co-president of
Stroz Friedberg, a global digital risk-management and investigations firmed
headquartered in New York. An expert in cybercrime response, computer forensic
investigations and electronic discovery, Friedberg is a former assistant U.S attorney
in the U.S. Attorney’s Office for the Eastern District of New York. He can be
reached at efriedberg@strozfriedberg.com.